Blog posts tagged IT security

Protect your business from a cyber attack

April 25, 2013 by Rahul Mistry

There are an estimated 4.8 million small and medium-sized enterprises (SMEs) in the UK, many with their own ecommerce websites.

In 2011, 32 million people purchased goods or services online. That gives the UK one of the world's biggest internet-based economies. And it's why keeping your website safe and secure from cyber-attacks has never been more important.

SMEs are easy targets

As a business owner, you’re probably dealing with plenty of critical day-to-day issues. Perhaps worrying about your website’s security is not top of your list of priorities.

You may be wondering why hackers would want to target a small business rather than big brands like Lush and Adidas. The simple answer is that hackers know smaller businesses have fewer resources dedicated to online security, making them easier targets.

For those involved, cyber crime is big business. It costs the global economy $338bn a year which, according to Symantec, is significantly higher than the global narcotics black market.

Since the beginning of 2010, 36% of all targeted cyber-attacks have been directed at SMEs.

With around 44 million attacks a year taking place against home computers, businesses and government systems in the UK, an offline website means a loss of income. For instance, PayPal reportedly lost £3.5m due to a cyber-attack in 2010.

As well as lost revenue, a website security breach can result in losing vital data, your reputation and even your ranking on Google. Ultimately, it could damage your business beyond repair.

Six simple tips to protect your site

Here are six simple but effective tips to protect your business against cyber attacks:

  1. Choose your passwords carefully. Password123 is not a secure password! Make sure passwords have at least eight characters and use a combination of letters and numbers. Here are some ideas for creating strong passwords.
  2. Install anti-malware and anti-virus protection for your website in the same way you would your PC. Reviews can help you determine if the product is right for your business.
  3. Use SSL to encrypt data. SSL provides a secure connection, protecting data sent between a customer’s web browser and your server. Your hosting provider can help set this up for you. Learn more about SSL.
  4. Avoid using wireless networks. If you must use them, make sure you're using the latest encryption standard, WPA2. This offers government-grade security.
  5. Keep programs and hardware up to date. This helps block malware that thrives in older equipment and out of date software. If you are using Windows or a Mac you can set up weekly update checks. You should also do this for any software you use to manage your website.
  6. Educate employees about the latest online threats. This way they’ll know clicking on bad links or opening dodgy attachments can compromise data. All your staff should be as vigilant at work as they are at home. If in doubt, don’t click it.

So, if website security wasn’t on your priority list, it might be time to add it now.

Guest post by Rahul Mistry, content writer for www.heartinternet.co.uk. You can follow Rahul on Twitter and Google Plus.

Posted in IT security | Tagged IT security | 0 comments

People don't trust businesses with personal data (but hand it over anyway)

April 18, 2013 by John McGarvey

One in four consumers don't trust any company to secure their personal information online. That's according to a survey of 1,000 UK consumers conducted by information security and risk management firm Integralis.

Although a quarter of all respondents said they don't trust any organisation to take care of their personal data online, there is some relatively good news in one sector: nearly 65% of people said they do trust banks with this information.

However, businesses operating in other fields need to do more to win the trust of their customers. Only 36% of people trust online retailers with their personal data, 24% trust supermarkets and just 22% trust online payment systems like PayPal.

No trust, no problem

But despite this general lack of confidence, people still use these services in droves. For instance, over half of people surveyed said they do grocery shopping online at least once a week. While people might not trust online retailers with their data, they're still willing to share it.

"Online shopping is unbelievably popular, even though people don't necessarily trust it," confirms Mick Ebsworth, information security consulting practice director at Integralis. "People are worried about the types of information these sites ask for."

"Far too often, consumers are prepared to supply core personal details - like mother's maiden name or date of birth - to organisations that don't need that information."

This can put consumers at increased risk of ID theft, should that information fall into the hands of online criminals.

"People need to always think about the information they provide," explains Ebsworth. "Does an organisation need it? Your bank might not be attacked, but your account at another site with lower security might be. So why use the same passwords?"

Don't ask if you don't need it

Although consumers might be making mistakes by supplying personal information to firms that don't need it, the buck really stops with the organisations requesting it. If they want potential customers to trust them more, they need to be more circumspect about requesting information.

Ebsworth has some advice for online businesses: "Firstly, you need to put in place the technical controls to keep personal information secure. You need the right level of encryption and good levels of data storage. Think about who has access to that information - in your organisation, with third parties, and online."

"Secondly, only request information that you really need. Recognise that the consumer has a role to play here, but that you can help them."

Finally, he has a sober reminder for firms that might still be unconcerned about how they handle this data. "Everybody who collects personal information has a duty to take care of it. Although there's nothing in the law to say how you should deal with a data breach, the Information Commissioner's Office can levy big fines if they believe you haven't adhered to good practice."

Does your business need all the information it collects from customers? Do they trust you to take care of it?

Posted in The internet | Tagged IT security | 0 comments

Don't panic, but 23% of your staff are stealing from you

April 17, 2013 by John McGarvey

Image: Employee stealing data

If dodgy employees all looked like this, they'd be easy to spot.

A staggering one in ten employees has stolen important data from their employer after handing in their notice, reveals a new study from IT security specialist LogRhythm.

It seems that downloading a company's customer database onto a USB stick or copying crucial documents to CD is much more common than you might have thought. Of the 2,000 employees studied, the survey found that a massive 23% had taken confidential data from their workplace.

Often, people steal client details or product information in the hope that it'll give them a head start with their new employer. But 14% of people who admitted taking data did so to help set up their own rival company. And 23% did it out of revenge, because they felt undervalued and poorly treated.

Employers know the problems

Clearly, anyone stealing data from their employer is in the wrong. But that doesn't mean businesses should make it easy for employees to get their hands on the good stuff.

This research also surveyed employers, 47% of whom said they don't have any system in place to stop staff accessing confidential information or taking data.

So, all-too-often it's lax security and a lack of concern that makes it easy for staff to walk away with crucial company assets.

Worse, 60% of employers said they never change passwords or access codes, which is a little like leaving the door wide open for former employees to come and grab what they like.

You wouldn't let a staff member keep their keys to the office after they've left, so why would you let their passwords keep working?

Are you at risk?

If this survey is at all representative, there's a good chance your business is at risk of data theft. So, what are you going to do about it?

  • Restrict data access. Sensitive data like customer information should only be available to employees who absolutely need it. It should never be sent by email or stored in shared locations.
  • Close user accounts promptly. If a member of staff has been sacked, close their network account immediately and revoke all their access rights.
  • Don't share passwords. Shared passwords are the enemy of good security. Not only can people continue to use the password once they've left, but it's also much harder to tell who's been accessing the data.
  • Rotate access codes regularly. If you have a PIN-entry system for your building or a wireless network with a password, make sure you have a system to change them regularly - probably every month.

Finally, there's an aspect to this that leaves a nasty taste in the mouth. The research found 53% of people who've stolen data use it to get a head start in their next job, or to impress their new boss.

If the new employer decides to make use of that data, what sort of message does that send? And do they really think that employee isn't going to do the same to them when the time comes?

In short: if you've ever benefited from a data theft, don't be surprised if you end up suffering sometime too.

Posted in IT security | Tagged IT security | 0 comments

Can you spot the phishing website?

April 10, 2013 by John McGarvey

You've probably heard of phishing. It's where scammers send you an email that looks like it's from an official organisation, usually your bank.

The email usually contains links to a fake log in page which collects your username, password and other security details. If you enter them, the scammers will subsequently use your credit card, empty your bank account or commit some other crime against you.

Some phishing websites are laughably bad, with terrible grammar, bad spelling and shonky design. But others can be very convincing.

Spot the phishing site

To show you just how convincing phishing sites can be, here are two screenshots for you. One is the genuine sign in screen for the Co-operative Bank's online banking service. The other is a fake sign in screen from a phishing email I received.

You can click the image to see both screens full size. Can you tell which is which?

Image: Co-operative bank screens

So, how did you do? 

Well, the top screenshot is of the genuine sign in screen. The second one is the fake.

If you're familiar with this bank's online interface, you'll probably realise that the site asking for your full name is not genuine. But if you don't use your online banking often or simply aren't paying 100% attention when you click the link, it's easy to see how you could be fooled.

Three principles to avoid phishing

Checking the address of a site like this is usually the most foolproof way to see if it's fake. In this case, it was easy to tell, because the URL clearly wasn't the Co-operative's normal address:

Image: Website address bar

It isn't always as obvious as this though, so here are three foolproof ways to avoid phishing traps:

  1. Don't click sensitive links in emails. If an email from a trusted source like your bank asks you to log in to your account, do so by manually typing in the website address rather than clicking a link.
  2. Pay attention to security notices. Most phishing emails will be caught by email filters, security software or web filtering tools. If you see a warning about an email, link or website, don't ignore it. (It's amazing how many people do.)
  3. Let the sender know your concerns. If you're in any doubt at all about whether an email or website is genuine, get in touch with the organisation it claims to represent. A quick phone call should be enough to confirm your doubts.

And as a final warning, don't ever enter sensitive log in information if you have any concerns at all about the website you're on. Even if it just looks or feels a bit funny, that's reason enough to stop and think before you make a mistake.

Note: don't click links in dodgy emails like we did. They can be dangerous, even if you don't enter in any sensitive information.

Posted in IT security | Tagged IT security | 0 comments

Did we just nearly break the internet? What the Spamhaus attack says about our security

March 28, 2013 by John McGarvey

If you noticed your internet connection slowing markedly yesterday, with some sites sluggish and others unavailable, for once it might not have been down to your broadband supplier.

That's because spam fighting service Spamhaus was subjected to an enormous distributed denial of service (DDoS) attack.

It seems that Spamhaus blacklisted a controversial hosting provider, Cyberbunker, because its servers were apparently being used to send lots of spam. 'Friends' of Cyberbunker then bombarded Spamhaus with the biggest DDoS attack ever.

Are any of us innocent?

The incident spawned headlines like "Global internet slows after 'biggest attack in history'". And with so much malicious data flying through the internet's wires, some innocent internet users found their service was disrupted as a result.

But how innocent are those internet users? Is our slack security as individuals partly to blame for the scale of the disruption?

It's an interesting question because this attack was coordinated using a huge 'botnet' of internet devices, including a large number of insecure broadband routers.

It's the exact threat experts recently warned us about, where hackers exploit weaknesses like default passwords to take control of these devices.

Your router is part of the problem

As more details of the Spamhaus attack emerge, we might get a better idea of what devices it involved. But as The Guardian reports, that innocent-looking router in the corner of your office could have been a part of the problem:

"Some of those requests will have been coming from UK users without their knowledge," said Blessing [an internet expert]. "If somebody has a badly configured broadband modem or router, anybody in the outside world can use it to redirect traffic and attack the target – in this case, Spamhaus."

Obviously, whoever initiated the attack is ultimately responsible. However, the scale of it was partly due to the vast number of insecure internet devices out there.

We're all to blame

So, who is to blame? Manufacturers who sell their products with inadequate security and don't properly explain how to beef it up? Internet service providers that make their routers less secure so they can log in remotely when they need to? IT administrators who don't update their software promptly?

Or is it all of them, and each of us too?

The internet is a decentralised, open network. That makes it very difficult for any single body to effectively police this type of incident, and means that we're collectively responsible for the internet's security.

Yesterday, we almost broke it. Perhaps it's time we all took the time to be more secure online.

Posted in IT security | Tagged IT security, Internet | 0 comments

How to hack 420,000 internet devices

March 25, 2013 by John McGarvey

Here's a stark reminder that internet security perhaps isn't quite as tight as we'd all like.

An anonymous researcher managed to take control of 420,000 insecure internet devices like webcams, network routers and printers.

They were used to effectively create a huge network of internet devices that could be used for dodgy purposes like taking websites down via denial of service attacks. (The researcher didn't go ahead and cause any damage, but the potential was there.)

Standard passwords

What's striking about this research is both the huge number of devices that could be compromised, and the ease with which it could be done. Quite simply, the researcher accessed each device by trying standard usernames and passwords like admin or root.

In a month where a high-profile cyber-attack against South Korea hit the headlines, it's important for your business to remember that sometimes the simplest hacking attempts - like trying default usernames and passwords - can be just as damaging.

Don't neglect the obvious

The anonymous researcher summed up the problem in a post online:

"While everybody is talking about high class exploits and cyberwar, four simple stupid default telnet passwords can give you access to hundreds of thousands of consumer as well as tens of thousands of industrial devices all over the world."

In short: choose your passwords carefully. And whenever you add a new piece of equipment to your computer network, check if it has sign in credentials and change them if so. If you don't, you could be a part of this problem.

Image: Rob Kints / Shutterstock.com

Posted in IT security | Tagged IT security | 0 comments

Three things you can learn from NatWest's IT woes

March 07, 2013 by John McGarvey

Image: Flickr user StewC

If you were one of the millions of NatWest customers unable to access online banking, use debit cards or even get cash from a hole in the wall last night, the bank's reputation has probably dropped a notch or two in your mind.

It's hardly the kind of publicity a beleaguered banking giant needs. However, major IT outages aren't restricted to banks. They can happen to any business. If one hits yours, it can have an immediate impact on your bottom line and longer-lasting consequences for your reputation.

So, as NatWest fights to deal with today's avalanche of negative coverage, what can you learn from its misfortunes?

1. Keep communicating

One of the worst things you can do during an IT problem that affects customers is to go silent.

If you can explain the problem and when it's likely to be fixed, that's great. But even if you're unsure of the cause yourself, just being there to provide some information is better than nothing at all. At least you'll avoid that 'rats deserting a sinking ship' feeling.

Last night, NatWest was quick to apologise via Twitter, although few further updates were posted despite a veritable Twitter storm.

2. Learn from your mistakes

NatWest also suffered a huge outage last summer, which saw some people unable to access their money for days.

Although the bank has said yesterday's disruption wasn't connected to the previous problems, the fact that this is the second major outage in nine months has compounded the reputational damage, with many customers vowing to leave.

If a problem reveals failings in your IT systems, make sure you fix them properly. It may cost you time and it may cost you money, but the cost of inaction could be much larger.

3. Don't be afraid to say sorry

The most insincere apology I can recall in recent years is this classic from Apple. It's a great example of how not to do things.

Look, if your IT systems have failed and your customers were affected, it really is best just to apologise sincerely and explain what you're doing to fix things.

At this stage, being open and honest is the way to reassure customers that the same thing won't happen again.

Then make sure it doesn't happen again, of course. If NatWest suffers another outage any time soon then it'll take more than a few words to restore its reputation.

Posted in IT security | Tagged NatWest, IT security | 0 comments

The ABC of business IT security

March 04, 2013 by James Archer

It’s good to refresh your knowledge when it comes to something as crucial as IT and data security. So here’s a slightly tenuous ABC of business IT security. Plus a D and an E for good measure.

A is for anti-virus

Get good anti-virus software and keep it up to date. You usually have to subscribe to software updates, and don’t wait for this to expire before you renew it. Even a few days without adequate protection is asking for trouble.

Spyware - which attempts to extract information from your computer without your knowledge - is another threat. However, most anti-virus packages also include anti-spyware protection too.

You can shop around for the best anti-virus deals. Reputable suppliers include McAfee, Kaspersky and Bitdefender.

B is for backups

Ideally, all the data on your computer system needs to be backed up to external hard drives. This ensures that you won’t lose sensitive information if your computers are corrupted by spyware or viruses.

Inform your staff that they need to back up their data at the end of each day, and regularly remind them to do so. External hard drives don’t cost the earth (you can see a selection here on Amazon), and you’ll be saving yourself a lot of hassle if the worst comes to the worst.

C is for control

When it comes to protecting data from prying eyes, control is the key. If there are files on your company’s shared drive which you don’t want all your staff to view, you should control who can access them.

If you use Microsoft Windows, here’s how to restrict access to a certain folder:

  1. Right click the folder and click Properties
  2. Click the Security tab
  3. Click Edit and then Add
  4. Add the usernames of the people you want to access the folder into the box that appears on screen
  5. Click Ok

That’s it – you’ve created a list of people who can access that particular file or folder on the shared drive.
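The same restriction scripted in PowerShell, added here as an example rather than taken from the post; the folder path and the account names are placeholders. It also switches off permission inheritance, which the five clicks above leave in place, because an inherited "Users" or "Everyone" entry would otherwise keep the folder readable by everyone on the shared drive.

```powershell
# Added example: restrict an NTFS folder on a shared drive to a named set of people.
# Run it from an account that has Full Control over the folder.
# Placeholders (assumptions, not from the original post):
#   $Folder  - the folder to protect
#   $Readers - accounts that should be able to open and read the files
#   $Admins  - principals that must keep full control so the folder stays manageable
$Folder  = 'S:\Shared\Payroll'
$Readers = @('CONTOSO\alice', 'CONTOSO\bob')
$Admins  = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

$acl = Get-Acl -Path $Folder

# 1. Stop inheriting permissions from the parent folder. Without this, an inherited
#    "Users" or "Everyone" entry keeps the folder readable by all staff even after
#    named users have been added. Arguments: (isProtected, preserveInheritance);
#    $true, $false protects the ACL and drops the inherited entries.
$acl.SetAccessRuleProtection($true, $false)

# 2. Remove any explicit entries that remain, so the final list contains only
#    what is granted below.
foreach ($rule in @($acl.Access)) {
    if (-not $rule.IsInherited) { [void]$acl.RemoveAccessRule($rule) }
}

# 3. Grant full control to the administrative principals and read-only access to
#    the named readers. The rights flow down to subfolders and files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

foreach ($id in $Admins) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', $inherit, $propagate, 'Allow')))
}
foreach ($id in $Readers) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'ReadAndExecute', $inherit, $propagate, 'Allow')))
}

# 4. Write the new ACL back, then re-read it and show exactly who can now get in.
Set-Acl -Path $Folder -AclObject $acl
(Get-Acl -Path $Folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

The final table is the check worth keeping: it should list only the administrative principals and the named readers, with IsInherited set to False on every row.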

D is for data encryption

Encrypting your computer systems makes it harder for hackers and fraudsters to access sensitive business information.

This can be anything from emails and financial figures to documents and databases that are stored on computers or servers in your business. You can also protect portable storage devices like USB drives, which protects them in the event of loss.

Setting up encryption software can be a little tricky, but this guide to encrypting your laptop is a good place to start. It’s also worth speaking to your IT supplier if you need help.

Encryption is an excellent way to ensure your business transactions are protected from unwanted attention. Even if a fraudster manages to steal a disk containing sensitive information, they should still be unable to read it.

E is for external help

Instead of relying on your own knowledge about maintaining computers, it is a good idea to have a trusted IT supplier you can turn to. They will help troubleshoot any problems with your system, allowing you and your staff to focus on running your business.

Even seemingly minor problems should be flagged up, as they can indicate larger problems with your IT security. It all helps avoid any lingering suspicions that your company has been targeted.

It’s often a good idea to choose a local IT supplier, so you can ask business contacts and friends who they’ve used in the past. Perhaps they could even negotiate you a discounted rate!

Written by online security expert, James Archer, on behalf of online retailer The Safe Shop

Posted in IT security | Tagged IT security | 0 comments

With IT risks worrying businesses most, here's how to cope

February 11, 2013 by John McGarvey

A survey into SME attitudes to risk has identified which of 24 'risk scenarios' (that's things that could go wrong, to you and me) are most likely to keep business owners awake at night.

The research, commissioned by McAfee, revealed UK SMEs view their technology systems and the integrity of their data as the biggest areas of risk.

In contrast, things that might traditionally have been perceived as significant risks - like big marketing campaigns or competitor initiatives - are seen as being much less likely to have a detrimental impact on business performance.

This graph shows the ten highest risks selected by businesses in the UK:

Although it's perhaps depressing that new technology is responsible for so many worries in business, this survey also suggests a greater awareness of the risks, which bodes well for long-term improvements.

What's more, most companies can reduce most of these risks by taking some fairly simple steps.

To start with, it's a good idea to create some sort of security plan. It doesn't have to be an enormous document, but writing even a short plan will force you to think about what the key risks are.

Once you've done that, make sure you've covered these basics:

  • Get good IT security software from a reputable firm such as McAfee, Kaspersky, Bitdefender or Trend Micro. It can go a long way towards protecting your computers from viruses and hackers.
  • Make sure you're on top of your IT maintenance and install software updates in good time. This will help you eliminate software bugs that hackers can use to break into your systems.
  • Sort out your backups. Make sure you have a solid backup system in place and test it regularly. Cloud backup systems like Livedrive, Mozy and BackupGenie are good options for smaller companies.
  • Think about how you'd cope in an emergency. You need to know how you'll carry on working in the event of problems and what steps you'd need to take to get things back to normal.

Finally, always remember that maintaining good IT security is an ongoing process. It's a good idea to find an IT supplier you trust and keep track of new security trends that could affect you.

Posted in IT security | Tagged research, IT security | 0 comments

Is 'bring your own device' good for business?

January 10, 2013 by Lara Franklin

Does anyone in your business have this many devices? (Image: kawanet on Flickr.)

As any marketer should, I watch streams of Twitter hashtags and have Google Alerts set up to monitor topics in my business realm.

For nivio, this means I keep a close eye on #DAAS (desktops as a service) #SMB (small-medium business), #VDI (virtual desktop infrastructure) and #BYOD (bring your own device), among others.

Of these feeds, bring your own device is by far the most interesting. Though the concept isn't new - I've been using my personal devices for work in some form for more than a decade - BYOD as a business problem is receiving a lot of media coverage. And, as with most new tech challenges, the coverage is divided on whether BYOD's cost-savings and access benefits really outweigh the security risks.

Your staff want BYOD, and it's happening

Your business is likely already engaging in BYOD. If your staff use personal devices for work, either as their primary system or when they work remotely via laptop, tablet, or smartphone, your business, too, is part of the BYOD trend. And, you're far from alone: according to a Spiceworks survey (PDF link) more than 75% of small businesses are actively managing personal devices as part of their IT strategy.

But what do small and new business really need to know about BYOD?

Most businesses already support BYOD in the workplace, and if you don't, the chances are your staff are accessing information and files remotely on personal devices anyway.

Having policies in place to limit remote access could be a deterrent and reduce the risks your business faces. However, these require additional IT infrastructure to enforce.

Plus, employees want remote access for flexibility in when, where, and how they work. They want to get information while on the go. And they don't want to juggle a company smart phone and tablet along with their own personal devices.

If not managed properly, BYOD is a security risk

Data security, especially for law, health, and accounting firms, is crucial. Your business needs to ensure information is secure and that you aren't exposed to undue risks by allowing remote access.

You need to integrate employees' own devices into your existing systems, and give your staff support to troubleshoot problems when they occur.

Making BYOD secure

Generally, you have two options for mobile security:

  • Mobile device management systems can handle security at individual device level. These are a good fit if your business already has significant in-house IT infrastructure.
  • Comprehensive IT management platforms can manage security across all the platforms and devices in your business - including devices owned by your staff.

Is there really a cost saving?

Every business is different, but many companies can see significant cost savings from BYOD.

You'll almost certainly save on hardware costs, and many companies will also save on the software and maintenance costs that go along with running a fleet of devices.

Lara Franklin manages content and marketing for nivio, a cloud-based platform providing comprehensive IT infrastructure enabling BYOD and anywhere access for businesses.

Most small businesses have had a security breach. Have you?

December 04, 2012 by John McGarvey

If government statistics are accurate, even the smallest companies need to give serious thought to IT security. That's because official figures show 76% of small businesses have reported a cyber-breach in the last year alone.

You can tell the government is alarmed by the statistics, because it has decided to establish a 'Cyber Reserve' force to deal with the security threats posed by online crime. It's uncertain what this means in practice, as the details won't be revealed until next year.

However, it should signal a more co-ordinated approach to combating cyber-crime, with the government recruiting experts to fight back against sophisticated hackers and fraudsters.

Although things have moved on considerably since this 2006 report found internet fraud was slipping through policing procedures, it still sometimes seems like online criminals are several steps ahead of the authorities.

Your business is at risk. Really.

Just in case the message hasn't sunk in yet, let's make it absolutely clear: your business could be a target for online criminals.

We recently spoke to security expert Don Smith who explained that smaller companies often find themselves singled out in online attacks because they're seen as soft targets:

“More and more smaller companies are being attacked by cyber criminals, yet many still hold the view that they are too small to be targeted."

"If they have any public profile – if they’ve been in the news, for instance - then they can be a soft target. They also might get targeted if they handle the intellectual property of big clients, for example, a creative agency working on a big account."

“This leaves small organisations vulnerable to a number of risks, including attacks, data loss, service disruptions and reputation damage. Just like larger enterprises, small businesses need visibility into the threats that face their organisation.”

Clearly, that begs the question: what should you do about it? Hopefully, you'll have got the basics right. You'll be protecting your network with a firewall, and each individual computer and server in your business will have its own firewall too.

You should definitely be running security software too (try Norton Internet Security, McAfee All Access or ESET).

But to really get a grip on your IT security, you need to spend a little time on security planning. The first stage is to identify your most valuable data, so you can find ways to protect it.

It's worth reading the full interview with Don to understand a bit more about the security issues your company could face. We also have some really useful information about putting a security plan together and assessing the risks your business faces.

With just a little preparation, you can reduce the chance of your business becoming another IT security statistic.

(Police lantern image: conner395 on Flickr.)

Posted in IT security | Tagged security, IT security | 0 comments

Could you keep your tech going through a blackout?

October 09, 2012 by John McGarvey

These won't run your server for long. (Image: mjtmail (tiggy) on Flickr.)

The UK could run out of energy generating capacity in winter 2015, reckons Ofgem, which says as spare generating capacity drops we could see energy prices rise too.

With the average business electricity bill at £2,600, that's not exactly something to look forward to. However, it could be a drop in the ocean compared to the loss in productivity a single blackout could cause.

No power, no business

Losses mount up very quickly when you can't use your computer, speak to customers over the phone or even see to pack orders and send them out. When there's no power, you can't do business.

Traditionally, businesses have planned for power interruptions by plugging their servers into uninterruptible power supplies (UPS). If you suffer a power cut, a UPS will continue supplying power. Chances are you won't be able to work, but you will be able to shut your server down properly, protecting it from damage and hugely reducing the risk of data loss.

If you have a server on your premises, you really should use a UPS. It's that simple. They start from around £100, but you'll need to spend a bit more to get a decent model like the APC Smart-UPS.

There are lots of UPS models available from companies like PC World Business, eBuyer and Servers Direct.

Introducing the BlackCurrent

But if you want to actually carry on working, you need significantly more juice than a typical UPS will supply. Step forward industrial battery specialist UK Powertech, which has launched a 'compact energy storage device' for smaller businesses and homes.

Called the BlackCurrent, it charges off the mains when the supply is good, then supplies electricity back to your equipment when required. You should be able to continue running computers, servers and critical gear for an hour or two.

The BlackCurrent does come at a price. It starts at £850, and you'll certainly have to spend more if you want to keep your computers and servers going for long.

Is it worth it? That really depends on your company's approach to risk, and how much damage a power outage could cause your business. But if predictions of power cut doom and gloom are in any way accurate, maybe it's worth considering.

Posted in IT security | Tagged UPS, power, IT security | 0 comments

Achieve security standards quickly and cheaply

September 17, 2012 by Dave James

Many companies are finding it’s becoming more common for them to have to comply with security standards.

These include PCI DSS, which demonstrates you can hold customers’ payment details safely, or ISO 27001/2, which shows you use adequate, proportional controls to protect information.

Complying with standards like these can seem like a costly process. But if you look to change the way you do business rather than making big changes to your existing systems, you can reduce the cost and associated disruption considerably.

Change how you do business

The traditional way in which companies achieve standards compliance is to retrospectively add protective measures to existing business processes.

Having worked in this area for many years, I often see organisations with business processes that really are not set up to make it easy for them to comply with certain standards.

At such times it is worth taking a long hard look at your company. Instead of trying to tag compliance controls on to your processes, take a good look at how you do things.

Wasted technology

I have worked with many companies that have brought in new technology so they can comply with certain standards. However, often this technology is wasted because it is not properly set up. Managers lack either the time or expertise to use it properly.

This technology is only in these businesses because the standards demand it. It’s a tick in the box, but it is neither effective nor doing what it was intended for. In short, it is a waste of money.

The first law of any technology is that it needs to be managed. The second law is that any technology you are unfamiliar with needs to be managed far more than technology you are familiar with.

The problem with standards is that they tend to mandate technologies that many organisations are unfamiliar with.

How it works in practice

I worked with an organisation in the entertainment industry that acquires customer payment card details in two main ways: selling tickets and selling merchandise.

  • The organisation’s IT infrastructure was old and had suffered many years of underinvestment.
  • The organisation needed to become PCI DSS compliant quickly due to pressure from its bank.
  • It would have cost £3m – £4m to update and improve the company’s systems to the required standards.

With a little lateral thought, we realised that ticket sales could be outsourced to the current market leader and merchandising could be moved to stand-alone machines.

This meant the organisation didn’t have to worry about achieving compliance at all, and so could focus on redeveloping its network to meet business requirements rather than compliance obligations.

It does sometimes require some creative thinking, but it’s clear that making relatively simple business operational changes can lead to real savings in standards compliance costs.

Dave James is managing director of Ascentor, a company which helps businesses manage information risk. You can also follow him on Twitter.

Posted in IT security | Tagged IT security | 0 comments

Emma Watson could bring down your company computers

September 14, 2012 by John McGarvey

While the world's attention is diverted by a story involving a member of the Royal Family and partial nudity, don't let your guard down. Although the Duchess of Cambridge may be in the headlines today, there's a far more urgent threat to your IT systems out there: Emma Watson.

Security firm McAfee reckons the Harry Potter star is 2012's most dangerous celebrity. And it's not because she's particularly adept at hacking into Windows XP or an expert at guessing passwords (although who knows what damage a few well-placed spells could wreak?).

No, according to McAfee's research, anyone searching online using terms like 'Emma Watson and nude pictures' runs a high risk of landing on a dangerous website that's infected with malware. As the firm explains:

"McAfee research found that searching for the latest Emma Watson pictures and downloads yields more than a 12.6% chance of landing on a website that has tested positive for online threats, such as spyware, adware, spam, phishing, viruses and other malware."

Now, you might justifiably argue that anyone searching for things like that deserves everything they get from the web's seedy underbelly. But if they're doing it on work time, using your company computers, you should be worried.

Sure, you can discipline the employee responsible, but if your server's infected with a virus or a trojan has stolen your customer list then you'll have bigger problems to worry about than whether your staff member actually found what they were looking for.

Your company policies should - of course - make it clear that this sort of thing is not allowed, but that's not much use either once your computers are infected. And that's why every single PC in your company should have security software installed and up-to-date.

Packages like McAfee's own All Access software (£74.99) will guard against viruses, trojans and spyware, and show a warning screen when you try to visit a dodgy website. Alternatives include AVG Internet Security (£97.99) or Kaspersky's Small Office Security package (possibly best value of the lot because it covers five computers for £159.99).

While packages like these won't entirely guard against employee mistakes, stupidity or bad luck, they do provide a strong line of defence for your company. Even if you're not in the habit of searching for nude pictures of Harry Potter actors.

Image of Emma Watson: Flickr user david_shankbone under Creative Commons.

Posted in IT security | Tagged security, IT security | 0 comments

Five ways to create passwords that are hard to crack

September 12, 2012 by Dave James

Hardly a week goes by without one company or another being hacked and user passwords being made public on the internet. Do we have any hope of keeping our passwords safe?

Actually we do have some hope, but we all have to play our part and choose strong passwords.

Hopefully, the websites we have online accounts with are doing their utmost to protect our personal information, and in particular our passwords. But even if they are, that’s not the end of the story as simple passwords can be cracked quite easily by hackers.

We need to do our bit by making sure we have strong passwords that are hard to crack. Here are five ways.

1. Think of a word and a number

Word: Olympics

Number:  1066

All you need to do is mix these up a bit to come up with a good password. For example:

10Olympics66

Olym10pics66

1Ol0ym6pi6cs

Top tip: make sure you mix it up. The password Olympics1066 is not as strong as the others.

2. Think of a lyric, name and a number

Lyric: She was more like a beauty queen from a movie scene

Name: Michael Jackson

Number: 1983 (Song released in this year)

Choose the first letter from the phrase and mix the initials and number in. For example:

SwmlabqfamsMJ1983

MJSwmlabqfams3891

M19Swmlabqfams83J

Top tip: once you decide how you want to mix it up, stick with it. If the mixing it up part could confuse you then you could write down a memory jogger – read on to find out how.

3. It doesn’t have to be too long

Phrase: Just like that

Name: Tommy Cooper

Number: 1921 (his birth year)

Password:

JltTC1921

You get the idea!

4. Write down a memory jogger

We all need help remembering things so why not write down something to help jog your memory? It is very unlikely that someone will be able to decipher a decent memory jogger, because you can write things down in a way that makes perfect sense to you but is useless to anyone else.

Let's take the Tommy Cooper example. You could have ‘Tommy’ written down in your address book, followed by a memory jogger, like this:

Tommy: Idp-pdI

In this case the memory jogger stands for initial-date-phrase-date-initial.

Using this would give a password of:

T19jlt21C

5. And finally…

Remember that you really need to change your passwords every so often, because you can never be quite certain whether your password is in the wrong hands.

The biggest problem most of us face is that we have so many online accounts that we forget what they are. Give yourself a fighting chance and keep a list somewhere. As you join new shopping sites, social sites and other sites, add them to the list. If you want to change a password, you will at least know where to look! 

Meet the information saboteurs, aka your employees

August 28, 2012 by Dave James

Who poses the biggest threat to your company data? You've probably thought about external security threats, but have you stopped to consider the damage your employees could do?

Information risk management specialist Ascentor reckons nearly 15.9m people are ready to damage their employer's business, and says over two million already have. These statistics and more are summarised in this infographic, and you can see the full version over on the Ascentor website.


Simple IT security for smaller businesses

July 04, 2012 by John McGarvey

Keeping your IT system secure and protecting your data can be a complex task. A secure IT system has many elements, from a firewall and anti-virus software to strong passwords and physical security.

The human factor

Then there's the human factor. It's no good having the strongest passwords imaginable if your staff write them down or share them with each other.

For all but the smallest businesses, it's usually a good idea to seek expert IT security advice. Remote data access, cloud services and mobile devices are creating more fragmented IT systems - and with less centralisation, it's hard to keep everything under lock and key.

Free IT security guide

To help businesses get to grips with the different elements of their IT security, the Information Commissioner's Office has released a new guide. It's a little light on specifics, but it does contain a very useful checklist to help you cover all major areas of your IT system.

It's excellent reading if you want a good overview of the IT security challenges you face, or want to brief yourself before you speak to your IT supplier or security consultant.

Download the guide from the ICO website >> (PDF, 300K)

Posted in IT security | Tagged security, IT security | 0 comments

Friday Donut tip: generate unique, memorable passwords for any website

June 29, 2012 by Imanuel Votteler

Passwords and website security breaches seem to be in the news constantly. Yet people still insist that passwords are generally a nuisance, and would rather have simple ones or use the same one for every website.

But that's risky. Having just one of those passwords revealed could potentially allow an attacker to access many of your other online accounts.

One really simple way to ensure you have a unique password is to use the name of the website in the password itself.

Come up with a password (or better yet, a passphrase) that you will remember. For example:

Ilikepineapples

That will be the base for your other passwords. For your Google account, you would use the password:

IlikepineapplesGoog

For your YouTube account you would use:

IlikepineapplesYout

Easy! You can obviously make the passwords as complex as you like, using numbers, symbols and both upper and lowercase letters.

Bonus tip:

While browsing through the settings for my Gmail account, I spotted two-step verification. This is an excellent way to secure your Google account using your mobile.

Every time you sign in on a new device, Google will call or text you a code which you must enter on the website. You won’t have to do this again for 30 days, unless you select otherwise.

This way you’ll also know if anyone is trying to break into your Google account, as you will get an unexpected automated phone call from the big G.

NB: I would recommend including numbers, symbols and capitals in your password. I didn't here for simplicity.

How hackers target your passwords

February 08, 2012 by Noa Bar-Yosef

When you enter a gym’s locker room, there are hundreds of lockers. Each has its own combination lock. Without giving it too much thought, you open your locker using the combination only you know, which is the same combination you provided when you signed up at the gym.

Similarly, a password is a shared secret between a user and a service. When the user wants to connect to the service, they identify themselves with their username and prove that identity with the password.

The service checks the password. If it matches, the user is allowed to access the service.

We can think of the service as the locker, the username as the locker’s number and the password as the lock’s combination.

Problems occur, of course, if someone else has your combination. It could be that you use a very popular combination, or someone saw you using the same combination on your bag.

Alternatively, it could be that someone broke into the gym and saw the list of locks and combinations. Let’s take a look at these aspects in the virtual world.

How hackers break your passwords

On the internet, some passwords are more common than others. Hackers use lists of the most common passwords to increase their chance of guessing a user’s password quickly. The hacker tools used to guess these passwords are called crackers. Two types of crackers exist - online and offline:

  • Online crackers use trial and error to break into a service, testing different passwords until the right one is found. The speed at which they can test passwords is limited by the speed at which the service accepts and handles requests. In many cases, online crackers can only try a few passwords because most services lock accounts after a certain number of incorrect passwords have been entered.
  • Offline crackers are used when passwords are stolen from an online service, but are stored in a digested format. This means the service stores a mathematical transformation of the password rather than the password itself – it’s an extra security precaution. An offline cracker repeatedly chooses different passwords, transforms them to their digested format and compares them to the list. Offline crackers can run incredibly fast, depending on the power of the computer running the cracker.

To reduce the effectiveness of offline crackers, many services add a step to the process called salting. Using a salt, a different digest is created each time, even if the password is the same. So although salted passwords are not completely hack-proof, they’re much harder to guess.
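As an added example (not code from the original post), here is a short Python illustration of the two storage approaches described above: a plain digest versus a salted one, plus the verification step a service runs at login. PBKDF2-HMAC-SHA256 and the iteration count are this example's own choices, since the post only speaks of a "mathematical transformation"; the user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 is this example's choice of "digest"; the post only says a
# mathematical transformation of the password is stored. The iteration count is
# an assumed work factor that makes each guess cost an offline cracker more time.
ITERATIONS = 100_000


def digest_unsalted(password):
    """Plain SHA-256 of the password: what a service that does not salt would store."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password, salt=None):
    """Salt and digest a password for storage.

    Returns the salt and digest (hex) and the iteration count; the password
    itself is never kept. A fresh random salt is drawn unless one is supplied
    (a supplied salt is only useful for reproducible tests).
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "digest": dk.hex(), "iterations": ITERATIONS}


def verify(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(dk.hex(), record["digest"])


def reused_digests(digests):
    """Return the set of digests that appear more than once in a stored list.

    With unsalted storage every user who chose the same password shares one
    digest, so a single guess unlocks all of them at once; with per-user salts
    the same password produces a different digest for each account.
    """
    seen, repeated = set(), set()
    for d in digests:
        if d in seen:
            repeated.add(d)
        seen.add(d)
    return repeated


if __name__ == "__main__":
    # Constructed sample: three users, two of whom picked the same password.
    chosen = {"alice": "Olympics1066", "bob": "Olympics1066", "carol": "JltTC1921"}
    plain = {u: digest_unsalted(p) for u, p in chosen.items()}
    salted = {u: make_record(p) for u, p in chosen.items()}
    print("unsalted duplicates:", len(reused_digests(plain.values())))
    print("salted duplicates:", len(reused_digests(r["digest"] for r in salted.values())))
    print("alice logs in:", verify("Olympics1066", salted["alice"]))
```

Running the script shows one shared digest in the unsalted table and none in the salted one, which is exactly the property the post describes: salting removes the shortcut of digesting a common password once and matching it against every stored entry.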

How to secure passwords in your business

So, that’s how passwords get cracked. Now, how do you stop that happening to your business?

On an individual level, always use strong passwords – and don’t use the same password on different websites. Think about what information the password is protecting. You want a really strong one for your online banking, PayPal and other online services you consider sensitive.

Use a really strong password for your email too, as getting access here can allow a hacker to wreak havoc by resetting your passwords on lots of other sites.

In your business, it’s important to realise that you can’t trust your users to choose strong passwords themselves. If you give them the choice, they’ll simply choose weak passwords. In fact, two years ago a database containing 32 million passwords was leaked to the web. Analysis of these passwords showed that 20% of users chose the same passwords from a pool of 5,000 words.

It’s up to you – or your IT administrator – to keep the passwords secure. Here’s how:

  • Enforce strong password policies. Force passwords to have a minimum length, ban common passwords and require a mix of characters (digits, letters, uppercase, lowercase, etc).
  • Make sure passwords are not transmitted in the clear. Passwords are vulnerable to interception if they’re transmitted across networks or the internet. Always use encryption, or use a technique that ensures the password itself never travels through the network.
  • Don’t store passwords in plain text. Doing so means that if a hacker breaks into your systems, they can just grab and make off with your passwords. Salt and digest a password before storing to the database.
  • Detect and block brute force attacks. Put obstacles in the way to stop online crackers trying lots of different passwords for user accounts. Use CAPTCHAs and restrict the number of times people can retry their passwords.
  • Force people to change passwords regularly. Many businesses require users to change passwords every couple of months, or when they suspect an account has been compromised.
  • Allow and encourage passphrases instead of passwords. That means using sentences instead of single words. Although they may be longer, they’re easier to remember. And because they’re longer, they’re more difficult to break.
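To show how the first, fourth and last points on the list above look when enforced in code, here is an added Python example (not part of the original post): a policy checker that applies a minimum length, a ban list of common passwords and a character-mix rule, waives the mix rule for long passphrases, and a login guard that locks an account after repeated failures. The thresholds and the tiny ban list are assumed values for illustration; a real deployment would use a much longer list.

```python
import re
from collections import defaultdict

MIN_LENGTH = 10             # minimum characters for a password (assumed value)
PASSPHRASE_MIN_LENGTH = 20  # phrases this long are accepted without the mix rule
MAX_ATTEMPTS = 5            # failed logins before an account is locked (assumed)

# Constructed sample of a common-password ban list; a real one is far longer.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def check_password(password):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password ban list")
    # Long passphrases are encouraged, so the mix rule only applies to shorter passwords.
    if len(password) < PASSPHRASE_MIN_LENGTH:
        present = sum(1 for pattern in CHARACTER_CLASSES if re.search(pattern, password))
        if present < 3:
            problems.append("needs at least three of: lowercase, uppercase, digit, symbol")
    return problems


class LoginGuard:
    """Counts failed attempts per username and locks the account after MAX_ATTEMPTS.

    `verify` is a callable (username, password) -> bool supplied by the caller,
    so this guard does not care how passwords are stored.
    """

    def __init__(self, verify):
        self._verify = verify
        self._failures = defaultdict(int)
        self._locked = set()

    def attempt(self, username, password):
        """Return "ok", "denied" or "locked" for one login attempt."""
        if username in self._locked:
            return "locked"
        if self._verify(username, password):
            self._failures[username] = 0
            return "ok"
        self._failures[username] += 1
        if self._failures[username] >= MAX_ATTEMPTS:
            self._locked.add(username)
            return "locked"
        return "denied"

    def is_locked(self, username):
        return username in self._locked


if __name__ == "__main__":
    # Constructed samples covering each rule.
    for candidate in ("password1", "alllowercase1", "Tr0ub4dor&3", "correct horse battery staple"):
        print(repr(candidate), "->", check_password(candidate) or "accepted")

    # Constructed credential store for the guard demo (plain dict, not for real use).
    store = {"alice": "Tr0ub4dor&3"}
    guard = LoginGuard(lambda user, pw: store.get(user) == pw)
    for _ in range(MAX_ATTEMPTS):
        print("alice wrong guess ->", guard.attempt("alice", "guess"))
    print("alice correct after lockout ->", guard.attempt("alice", "Tr0ub4dor&3"))
```

The guard keeps the verification step separate from the counting, which is the shape you want in practice: the same limiter can sit in front of whatever digest-and-salt routine the service uses, and unlocking (after a timeout or an administrator check) is a matter of clearing the entry.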

Implementing many of these precautions will require help from your IT staff or IT supplier. But if you’re going to maintain the security of your systems and website, it’s vital you think carefully about enforcing a strong password policy.

Noa Bar-Yosef is Senior Security Strategist at Imperva.
